An opinion about Linux security
Paul Moore
paul at paul-moore.com
Fri Dec 12 17:06:07 UTC 2025
On Fri, Dec 12, 2025 at 11:12 AM Stephen Smalley
<stephen.smalley.work at gmail.com> wrote:
> On Fri, Dec 12, 2025 at 9:47 AM Timur Chernykh <tim.cherry.co at gmail.com> wrote:
> >
> > I’m lucky enough to have already built a working prototype, which I
> > once offered for review:
> >
> > https://github.com/Linux-Endpoint-Security-Framework/linux/tree/esf/main/security/esf
> > https://github.com/Linux-Endpoint-Security-Framework/linux/tree/esf/main/include/uapi/linux/esf
> >
> > Less lucky was the reaction I received. Paul Moore was strongly
> > opposed, as far as I remember. Dr. Greg once said that heat death of
> > the universe is more likely than this approach being accepted into the
> > kernel.
>
> Not seeing an actual response from Paul in the archives, but did you
> ever actually post patches to the list?
I was wondering about this too. I searched through my sent mail and
while it's possible I'm missing some mail, the only conversation I see
with Timur is an off-list discussion from 2024 regarding changes in
the upstream kernel to support out-of-tree LSMs. While Timur was
added to the conversation by someone, I don't see any mail from him in
that thread. My comments in that thread are consistent with my
comments in on-list threads from around that same time when
out-of-tree code was discussed. Here is a snippet from one of my
responses, which still holds true as far as I'm concerned:
"As stated many times in the past, the LSM framework as
well as the Linux kernel in general, does not provide the
same level of consideration to out-of-tree code that it does
to upstream, mainline code. My policy on this remains the
same as last time we talked: while I have no goal to make
things difficult for out-of-tree code, I will not sacrifice
the continued development and maintenance of existing
upstream code in favor of out-of-tree code."
Searching for "Timur Chernykh" in all of the lore archives shows some
BPF related threads and the following LSM thread from June 2024:
https://lore.kernel.org/all/CABZOZnS13-KscVQY0YqqWZsBwmQaKyRO_G=kzCL8zc9jHxAC=A@mail.gmail.com
In this post Timur provides links to his ESF project on GitHub, but no
patches. I see comments from Stephen, Tetsuo, Casey, and Dr. Greg; I
did not comment on that thread.
Beyond that, I'm a bit lost. As far as I can remember, and both lore
and my own sent mail folder appear to support this, I've never
commented on ESF. At this point I think Timur may be mistaken
regarding my commenting on ESF, but if I am wrong please provide a
lore link so I can refresh my memory.
--
paul-moore.com